Democratising insecurity: Bringing security weaknesses to the tech masses
Alistair Chapman /in/alistairchapman/
About Me
Alistair Chapman
• Queensland University of Technology
• Network Security Engineer
• Trained as network engineer
• Specialising in IDS and technical architecture
• Corporate and IS Governance Consultant
au.linkedin.com/in/alistairchapman/
Context: Easy availability of simple VPS
• New container-based virtualisation
• Lowered cost of entry to market
• Increased competition, lower costs
• Simplified processes, minimal verification
• Basic management and support
Case Study: DigitalOcean
• Less than a cent per hour
• Provisioned in under a minute
• 100%/99.9% SLA
• From 100 to 100,000 hosts in 2 years
• Service built on quick-build, high-quantity instances
Case Study: OVH
• 15% growth in North America
• Expansion from Europe to North America in 2014
• Offer full spectrum of services from VPS to full storage-backed cloud infrastructure
• Offer services from as little as $3/month, all with SLAs.
Problem: Poor account practices
“Plaintext Offenders”
• OVH.com
• Macincloud.com
• Eurospace
• Crocweb
• DigitalPacific
• WHMCS
Problem: Weak default configurations
Application Templates
• Many providers offer pre-built template instances
• Default passwords
• Weak standard configurations
• Little to no warnings
Effect: Poor Management Control
Reduced effectiveness of controls
• Single-instance servers outside of corporate domain
• May not fall under security policies or centralised administration
• Often provisioned ad-hoc, or independently
(Diagram: VMs inside the Secured Domain; a stand-alone VPS outside it, marked UNSECURE)
Effect: Increased risk of spam and C&C
Servers are “prime targets”
• Weak default configurations combined with public access
• Simple targets for email spam
• Additional risk for C&C and botnet attacks
Lower-maintenance hosts
• Typical server uses are low-maintenance, low-touch roles.
• Administrators may not check their servers for months at a time.
Solution Overview
Coverage:
• Secure Default Configurations
• Secure Billing and Backend Services
• Improved monitoring and governance of cloud services
• Increased provider responsibility
Coverage of all four areas: Improved Cloud Security
Secure Default Configurations
• Particularly important for pre-configured application instances
• Services should be disabled by default.
• Restrict initial access to VPN for added security
Secure Billing and Backend Services
Billing Services: WHMCS Example
• Billing services should be secure at a process level
• Customer data should be transmitted only when absolutely necessary.
Secure Billing and Backend Services
Authentication and Customer Data
• NEVER EMAIL PASSWORDS
• Secure KVM access to virtual hosts
• VM Control Panels and APIs must be secure
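The “never email passwords” rule, as an added example in Python that is not code from the talk or from WHMCS: a hypothetical provider backend showing the plaintext-offender flow beside a one-time setup-token flow. The class names, the control-panel URL https://panel.example/setup, the one-hour token lifetime and the scrypt parameters are all assumptions made for the example.

```python
"""Two ways a hypothetical provider backend could hand a new customer their
first credential: the plaintext e-mail the slide warns against, and a
one-time setup token. Added example; class names, URL and TTL are assumed."""
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL = 3600  # seconds a setup link stays valid (assumed policy)
SETUP_URL = "https://panel.example/setup"  # assumed control-panel endpoint


class PlaintextOffender:
    """The anti-pattern: the backend stores the password and mails it in clear.
    A database dump or a read of the customer's mailbox yields a working login."""

    def __init__(self):
        self.accounts = {}

    def provision(self, email, password):
        self.accounts[email] = password
        return f"To: {email}\nYour new VPS password is: {password}"


class SetupTokenBackend:
    """The hardened flow: nothing long-lived is e-mailed or stored in clear.

    - the e-mail carries a random, single-use token that expires after TOKEN_TTL;
    - the backend keeps only a hash of the token, so a database dump cannot be
      replayed as a setup link;
    - the customer's chosen password is stored as a salted scrypt hash.
    """

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so expiry can be tested
        self.password_hashes = {}      # email -> (salt, scrypt hash)
        self.pending = {}              # sha256(token) -> (email, expiry)

    @staticmethod
    def _hash_token(token):
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

    def provision(self, email):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy; never stored as-is
        self.pending[self._hash_token(token)] = (email, self.now() + TOKEN_TTL)
        return (f"To: {email}\nSet your password within {TOKEN_TTL // 60} minutes: "
                f"{SETUP_URL}?t={token}")

    def set_password(self, token, password):
        """Redeem a setup token exactly once, and only before it expires."""
        entry = self.pending.pop(self._hash_token(token), None)  # pop == single use
        if entry is None:
            return False
        email, expiry = entry
        if self.now() > expiry:
            return False
        salt = os.urandom(16)
        self.password_hashes[email] = (salt, self._hash_password(password, salt))
        return True

    def verify(self, email, password):
        stored = self.password_hashes.get(email)
        if stored is None:
            return False
        salt, expected = stored
        return hmac.compare_digest(self._hash_password(password, salt), expected)


if __name__ == "__main__":
    print(PlaintextOffender().provision("customer@example.com", "Welcome123"))
    backend = SetupTokenBackend()
    mail = backend.provision("customer@example.com")
    print(mail)
    token = mail.rsplit("?t=", 1)[1]
    print("set:", backend.set_password(token, "correct horse battery"))
    print("replay:", backend.set_password(token, "again"))  # False: single use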
Improved Monitoring and Governance
Monitoring
• Should be streamlined to encourage adoption
• Hooks, APIs and compatibility with external providers
• Provide rudimentary alerting system
Governance
• 100% Customer Responsibility
• Keep external cloud hosts under central IT
• Use provisioning and endpoint management where possible
Increased Provider Responsibility
Active Monitoring
• Virtualisation provides unique opportunities
• Take lead from ISP market
• Public services should be opt-in
Management Responsibility
• Identity validation and tracking
• Used to track abuse
• Tiered levels of capability
• DNS (ICANN)
• SSL (subdomains)
• PayPal
Case Study: Microsoft Azure
Overview
• Not a perfect product
• Has the advantage of multinational corporate backing
• Global infrastructure and near-unlimited funds give it a unique ability.
Responsibility
• Major corporate brand
• Significant PR and client commitments made
Secure Processes
Authentication
• Initial system accounts are set by user at provisioning
• Host can be used with external authentication
• Strongly suggest use of PowerShell for security
Application Configuration
• Still uses insecure defaults
• Uses “Endpoints” to hide services
• Primarily “security through obscurity”
Secure Processes
Governance
• Allows for direct integration into existing infrastructure
• Pre-provisioning configuration available on some hosts
• All communication done through secure web portal
Monitoring
• Active, real-time monitoring available
• Configurable alerts available on all services
• Tight integration with existing (Microsoft) tools.
Vision of the Future
GOAL: Improved Security of Isolated Cloud Nodes
STRATEGIES: Improve OOBE Security; Monitoring and Governance; Secure Backend Services
TACTICS: Hardened application; Fully integrated instances; Holistic, Full-Stack Security Model
OUTCOMES: Reduced Attack Surface; Improved Resource Management; Effective Support Services
Implementation Guidelines
Providers
• Verify standard system and application configurations
• Perform and complete active monitoring of instances
• Change services to opt-in where possible
• Obfuscate insecure services at provision-time
• Secure communication only
Users
• Never put default configurations in production
• Never make insecure services public
• Install services only on an as-needed basis
• Configure ACLs, firewalls and admin limits early.
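The user-side guidelines above, together with the earlier “Secure Default Configurations” slide (services off by default, initial access restricted to a VPN), as an added example in Python that is not code from the talk: a first-boot audit that reads a template instance's sshd_config and its listening-socket table, flags admin limits that were never set and services that are publicly reachable without being intended to be, then emits a default-deny firewall skeleton. The sshd_config and the `ss -H -tlnp`-style socket table are constructed samples, the VPN range 10.8.0.0/24 and the check names are assumptions.

```python
"""First-boot exposure audit for a freshly provisioned VPS.
Added example, not from the talk: the sshd_config and socket table below are
constructed samples; the check names, VPN range and thresholds are assumed."""
import ipaddress
import re

# Constructed sample: sshd_config as a template image might ship it.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
"""

# Constructed sample in the column layout of `ss -H -tlnp`
# (State Recv-Q Send-Q Local:Port Peer:Port Process).
SAMPLE_LISTENERS = """\
LISTEN 0 128  0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=512,fd=3))
LISTEN 0 80   0.0.0.0:3306   0.0.0.0:* users:(("mysqld",pid=733,fd=21))
LISTEN 0 511  *:80           *:*       users:(("nginx",pid=801,fd=6))
LISTEN 0 128  127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=640,fd=6))
LISTEN 0 4096 10.8.0.1:8443  0.0.0.0:* users:(("panel",pid=900,fd=4))
"""

WILDCARD_BINDS = {"*", "0.0.0.0", "::", "[::]"}
LISTENER_RE = re.compile(r'^\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_sshd_config(text):
    """Effective top-level directives, lower-cased keys. sshd keeps the FIRST
    value it sees for a keyword, so a hardening line appended at the end of a
    template file is silently ignored; Match blocks are not handled here."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key.lower(), value.strip())
    return directives


def parse_listeners(text):
    """(bind address, port, process name) for each LISTEN line."""
    rows = []
    for line in text.splitlines():
        m = LISTENER_RE.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3)))
    return rows


def bind_scope(addr, vpn_nets):
    """'public' for wildcard or routable binds, 'vpn' for an address inside an
    admin VPN range, 'local' for loopback. Anything unrecognised counts as public."""
    if addr in WILDCARD_BINDS:
        return "public"
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_loopback:
        return "local"
    if any(ip in net for net in vpn_nets):
        return "vpn"
    return "public"


def audit(sshd_text, listeners_text, intended_public, vpn_cidrs):
    """Findings a user should clear before the instance goes live: admin limits
    in sshd, and any service reachable publicly that was not meant to be
    (default-on template services, or admin access not yet moved to the VPN)."""
    vpn_nets = [ipaddress.ip_network(c) for c in vpn_cidrs]
    findings = []
    sshd = parse_sshd_config(sshd_text)
    # OpenSSH defaults: PermitRootLogin prohibit-password, PasswordAuthentication yes.
    if sshd.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append(("high", "sshd: PermitRootLogin yes; limit admin login to a named account"))
    if sshd.get("passwordauthentication", "yes") == "yes":
        findings.append(("high", "sshd: PasswordAuthentication yes; a template default password is usable"))
    for addr, port, proc in parse_listeners(listeners_text):
        if bind_scope(addr, vpn_nets) == "public" and port not in intended_public:
            findings.append(("high", f"{proc} listens publicly on {addr}:{port} and is not an intended public service"))
    return findings


def firewall_rules(intended_public, vpn_cidrs):
    """Default-deny INPUT skeleton. ACCEPT rules go in first and the DROP policy
    last, so applying it over an existing SSH session does not cut it off."""
    rules = [
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    rules += [f"iptables -A INPUT -s {cidr} -j ACCEPT" for cidr in vpn_cidrs]
    rules += [f"iptables -A INPUT -p tcp --dport {port} -j ACCEPT" for port in sorted(intended_public)]
    rules.append("iptables -P INPUT DROP")
    return rules


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_SSHD_CONFIG, SAMPLE_LISTENERS, {80}, ["10.8.0.0/24"]):
        print(f"[{severity}] {message}")
    print("\n".join(firewall_rules({80}, ["10.8.0.0/24"])))
```

On the sample, only the web server is meant to be public, so the audit flags both sshd directives, sshd itself (admin access should come in over the VPN, not the public address) and the template's MySQL listener; the loopback-bound Redis and the VPN-bound control panel pass. On a real host the two inputs come from /etc/ssh/sshd_config and `ss -H -tlnp`, and the first-match behaviour of sshd is exactly why a template's original `PermitRootLogin yes` must be edited rather than overridden further down the file.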
Summary
• Proliferation of providers and services is not a problem, it's an asset
• Improves customer choice
• Also makes security failings much more apparent and accessible
• Responsibility lies with all stakeholders
• Holistic effort required to fully improve situation
Role-based model
APNIC Partners (Hosting Providers)
• Improve new service templates and processes
• Improve access to hardening and obfuscation measures
Sysadmin | NetSec
• Pay equal attention to backend/billing service security
• Secure OOBE application configurations
Developers
• Follow best practices for securing public services and applications
Users and Businesses
• Integrate into any existing governance and monitoring
Thank You
Alistair Chapman
(w) https://agchapman.com/
(e) [email protected]
(ln) http://lnkd.in/bceQ5SG